One of the things that OpenID Connect does well (and who knows what the elements discussed in secret do, do not, will not, or will do) is articulate the role of identifiers and discovery. We see the ideas already manifesting in the WordPress world as one "connects" the Windows 8 app up to a self-hosted blog site that itself hosts a server-side plugin called Jetpack. Jetpack in turn connects up to the WordPress cloud, the self-hosted site becoming one of several sites now associated with an account managed by wordpress.com.
Let's get practical!
Log on to wordpress.com (getting an account if required). Have wordpress.com host a blog site for you. Go to windowsazure.com and log in (getting an account too, if required). Have azurewebsites host an Azure website for you (provisioned with WordPress). Configure both so they operate classically, and then connect them up, which is the novel bit. Do that as I outlined in an earlier memo: install, configure and "connect" the Jetpack plugin on the azurewebsites-hosted site to wordpress.com.
The net effect is this: on presenting your wordpress.com identity you will now see listings of 2 sites. One happens to be hosted by wordpress.com; the other is hosted in azurewebsites. You may be presenting your identity while, for example, using the Share button in Windows 8 that augments the internet browser (but not the desktop browser). Share with the WordPress app that you presumably installed into your Windows 8 experience and see that a wordpress.com login prompt is displayed. Use your wordpress.com account, see the selector for the multiple "sites" now "discovered" to be associated with that account, and pick one.
If you pick the azurewebsites-hosted WordPress, you will eventually see a login prompt from that site, and you may log on using the identity credentials you were assigned THERE. Note how there is NO SSO (at this point in the pre-"OpenID Connect" rollout).
So note that one "cloud" identity was used for discovery, of your "social network of sites", and another was used for local logon to those self-hosted WordPress sites that are autonomous of the cloud identity system. But note that the autonomy is strained. For the azurewebsites site can only leverage cloud services (tied to the cloud identity) when in some sense it "governs" the locally-hosted instance.
Now we have used this all successfully with the Jetpack-powered install we made yesterday and with the Windows 8 WordPress app. The latter apparently uses the JSON API of our azurewebsites-hosted WordPress site, and indeed we see such things as stats from that site appear in the cloud portal (tied to our cloud identity). Similarly, we see stats from the wordpress.com-hosted site (yorkporc), to which we can actually log on directly with the cloud identity too (unlike our self-hosted WordPress instance).
What I had expected to find, since this is a usage of the JSON API, is that the OAuth authorization and STS endpoint of wordpress.com would be controlling access to the API endpoints in my locally-hosted WordPress instance. And I'd expect to see some "applications" listed now, for at least the Windows 8 app, which is obviously a semi-trusted "interactive app" as opposed to a website app that plugs a frame into the likes of a Facebook page.